Recent large data breaches include the one at Quest Diagnostics, affecting 11.9 million records, and the one at LabCorp, affecting 7.7 million. Now University of Chicago Medicine has announced a data breach involving more than 1.68 million records.
The Elasticsearch server that held the information had a configuration error that removed its security controls, leaving it open to unauthenticated access from the internet. As a result, the information of 1,679,993 donors and prospective donors stored in the database was potentially exposed.
Security Discovery researcher Bob Diachenko found the unprotected database on May 28 while using the Shodan search engine to look for unprotected databases. Although there has been a recent alert about the rising number of exposed Elasticsearch and NoSQL databases, Security Discovery still reports finding 5 to 10 large incidents of unsecured databases every month.
The latest find was a 34GB cluster, data-ucmbsd2, that Shodan had indexed and that anyone could reach online. The database contained names, telephone numbers, email addresses, postal addresses, dates of birth, marital status, gender, wealth information and current financial status, and records of past communications.
Diachenko determined that the data belonged to UC Medicine and notified the university. The Elasticsearch instance was secured within 48 hours.
UC Medicine said a forensic team's full investigation confirmed that no unauthorized party other than Diachenko had accessed the database. Diachenko said he accessed only a handful of records to identify the owner and did not download any data. Fortunately, the exposure window was short: Diachenko found the database just one day after Shodan indexed it.
Elasticsearch instances should be configured so that they are reachable only from internal systems, and authentication controls should restrict access to approved users. Left misconfigured, an instance invites data theft, and attackers could even deploy ransomware that encrypts or completely erases all stored data.
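The quickest way to know whether one of your own Elasticsearch nodes is in the state described above is to ask it the same question a scanner does: send an unauthenticated GET to the HTTP port and see whether it answers with cluster details or with a 401. The script below is an added example written for this article, not code from the original page, Security Discovery, or UChicago Medicine. The host names, port, and sample responses are constructed for illustration, and the `audit`, `classify`, and `parse_indices` helpers are names chosen here, not part of any Elasticsearch tooling.

```python
"""Check whether an Elasticsearch HTTP endpoint answers without credentials.

Added example, not part of the original article or any real cluster's code.
The sample responses below are constructed; they do not come from a live
server.
"""
import json
import urllib.error
import urllib.request

# Banner Elasticsearch returns in the body of GET / on every version.
ES_TAGLINE = "You Know, for Search"


def fetch(host, port, path, timeout=5):
    """GET http://host:port/path with no credentials.

    Returns (status, body). A 401/403 is returned as a status rather than
    raised, because "auth required" is the good outcome we want to record.
    An unreachable host gives (None, "").
    """
    url = f"http://{host}:{port}{path}"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None, ""


def classify(status, body):
    """Turn the root-endpoint response into a verdict.

    exposed       : 200 with the Elasticsearch banner and no credentials sent
    auth-required : 401/403, security is enabled on the HTTP layer
    unreachable   : no HTTP response at all (firewalled or not listening)
    other         : something answered, but it does not look like Elasticsearch
    """
    if status is None:
        return "unreachable"
    if status in (401, 403):
        return "auth-required"
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "other"
        if isinstance(doc, dict) and (
            doc.get("tagline") == ES_TAGLINE or "cluster_name" in doc
        ):
            return "exposed"
    return "other"


def parse_indices(body):
    """Parse GET /_cat/indices?format=json into (name, size, doc_count) tuples.

    On an open cluster this listing is what a finder reads first: index names
    and sizes reveal what the data is before a single record is opened.
    """
    try:
        rows = json.loads(body)
    except ValueError:
        return []
    if not isinstance(rows, list):
        return []
    return [
        (r.get("index", "?"), r.get("store.size", "?"), r.get("docs.count", "?"))
        for r in rows
        if isinstance(r, dict)
    ]


def audit(host, port=9200):
    """Audit one host; returns the verdict and, if exposed, the index listing."""
    status, body = fetch(host, port, "/")
    verdict = classify(status, body)
    result = {"host": host, "port": port, "verdict": verdict, "indices": []}
    if verdict == "exposed":
        _, idx_body = fetch(host, port, "/_cat/indices?format=json")
        result["indices"] = parse_indices(idx_body)
    return result


# Constructed sample responses (not captured from any real server).
SAMPLE_OPEN_ROOT = json.dumps({
    "name": "node-1", "cluster_name": "example-cluster",
    "version": {"number": "7.1.0"}, "tagline": ES_TAGLINE,
})
SAMPLE_AUTH_BODY = json.dumps({"error": {
    "type": "security_exception",
    "reason": "missing authentication credentials for REST request",
}})
SAMPLE_CAT_INDICES = json.dumps([
    {"index": "donors", "store.size": "34gb", "docs.count": "1679993"},
    {"index": ".kibana", "store.size": "12kb", "docs.count": "3"},
])

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    r = audit(target)
    print(f"{r['host']}:{r['port']} -> {r['verdict']}")
    for name, size, docs in r["indices"]:
        print(f"  {name:30} {size:>8} {docs:>12} docs")
```

Run it from outside the network segment the cluster is supposed to be confined to; "unreachable" from there and "auth-required" from inside is the state you want. If it reports "exposed", the fix lives in elasticsearch.yml: bind `network.host` to a private interface rather than 0.0.0.0, and set `xpack.security.enabled: true` so the HTTP layer demands credentials (before Elasticsearch 8.0 this setting was off by default, which is how clusters like the one in the story end up indexed by Shodan).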